@rigour-labs/core 1.7.0 → 2.1.0

package/dist/context.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/context.test.js

@@ -0,0 +1,61 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { GateRunner } from '../src/gates/runner.js';
+import fs from 'fs-extra';
+import path from 'path';
+import { fileURLToPath } from 'url';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const TEST_CWD = path.join(__dirname, '../temp-test-context');
+describe('Context Awareness Engine', () => {
+    beforeAll(async () => {
+        await fs.ensureDir(TEST_CWD);
+    });
+    afterAll(async () => {
+        await fs.remove(TEST_CWD);
+    });
+    it('should detect context drift for redundant env suffixes (Golden Example)', async () => {
+        // Setup: Define standard GCP_PROJECT_ID
+        await fs.writeFile(path.join(TEST_CWD, '.env.example'), 'GCP_PROJECT_ID=my-project\n');
+        // Setup: Use drifted GCP_PROJECT_ID_PRODUCTION
+        await fs.writeFile(path.join(TEST_CWD, 'feature.js'), `
+            const id = process.env.GCP_PROJECT_ID_PRODUCTION;
+            console.log(id);
+        `);
+        const config = {
+            version: 1,
+            commands: {},
+            gates: {
+                context: {
+                    enabled: true,
+                    sensitivity: 0.8,
+                    mining_depth: 10,
+                },
+            },
+            output: { report_path: 'rigour-report.json' }
+        };
+        const runner = new GateRunner(config);
+        const report = await runner.run(TEST_CWD);
+        const driftFailures = report.failures.filter(f => f.id === 'context-drift');
+        expect(driftFailures.length).toBeGreaterThan(0);
+        expect(driftFailures[0].details).toContain('GCP_PROJECT_ID_PRODUCTION');
+        expect(driftFailures[0].hint).toContain('GCP_PROJECT_ID');
+    });
+    it('should not flag valid environment variables', async () => {
+        await fs.writeFile(path.join(TEST_CWD, 'valid.js'), `
+            const id = process.env.GCP_PROJECT_ID;
+        `);
+        const config = {
+            version: 1,
+            commands: {},
+            gates: {
+                context: { enabled: true },
+            },
+            output: { report_path: 'rigour-report.json' }
+        };
+        const runner = new GateRunner(config);
+        const report = await runner.run(TEST_CWD);
+        const driftFailures = report.failures.filter(f => f.id === 'context-drift');
+        // Filter out failures from other files if they still exist in TEST_CWD
+        const specificFailures = driftFailures.filter(f => f.files?.includes('valid.js'));
+        expect(specificFailures.length).toBe(0);
+    });
+});

package/dist/discovery.js

@@ -1,18 +1,12 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DiscoveryService = void 0;
-const fs_extra_1 = __importDefault(require("fs-extra"));
-const path_1 = __importDefault(require("path"));
-const index_js_1 = require("./templates/index.js");
-class DiscoveryService {
+import fs from 'fs-extra';
+import path from 'path';
+import { TEMPLATES, PARADIGM_TEMPLATES, UNIVERSAL_CONFIG } from './templates/index.js';
+export class DiscoveryService {
     async discover(cwd) {
-        let config = { ...index_js_1.UNIVERSAL_CONFIG };
+        let config = { ...UNIVERSAL_CONFIG };
         const matches = {};
         // 1. Detect Role (ui, api, infra, data)
-        for (const template of index_js_1.TEMPLATES) {
+        for (const template of TEMPLATES) {
             const marker = await this.findFirstMarker(cwd, template.markers, true); // Search content for roles too
             if (marker) {
                 config = this.mergeConfig(config, template.config);
@@ -21,7 +15,7 @@ class DiscoveryService {
             }
         }
         // 2. Detect Paradigm (oop, functional)
-        for (const template of index_js_1.PARADIGM_TEMPLATES) {
+        for (const template of PARADIGM_TEMPLATES) {
             const marker = await this.findFirstMarker(cwd, template.markers, true); // Search content
             if (marker) {
                 config = this.mergeConfig(config, template.config);
@@ -42,9 +36,9 @@ class DiscoveryService {
     }
     async findFirstMarker(cwd, markers, searchContent = false) {
         for (const marker of markers) {
-            const fullPath = path_1.default.join(cwd, marker);
+            const fullPath = path.join(cwd, marker);
             // File/Directory existence check
-            if (await fs_extra_1.default.pathExists(fullPath)) {
+            if (await fs.pathExists(fullPath)) {
                 return marker;
             }
             // Deep content check for paradigms
@@ -60,7 +54,7 @@ class DiscoveryService {
         // Simple heuristic: search in top 5 source files
         const files = await this.findSourceFiles(cwd);
         for (const file of files) {
-            const content = await fs_extra_1.default.readFile(file, 'utf-8');
+            const content = await fs.readFile(file, 'utf-8');
             if (content.includes(pattern))
                 return true;
         }
@@ -70,10 +64,10 @@ class DiscoveryService {
         // Find a few files to sample
         const extensions = ['.ts', '.js', '.py', '.go', '.java', '.tf', 'package.json'];
         const samples = [];
-        const files = await fs_extra_1.default.readdir(cwd);
+        const files = await fs.readdir(cwd);
         for (const file of files) {
             if (extensions.some(ext => file.endsWith(ext))) {
-                samples.push(path_1.default.join(cwd, file));
+                samples.push(path.join(cwd, file));
                 if (samples.length >= 5)
                     break;
             }
@@ -81,4 +75,3 @@ class DiscoveryService {
         return samples;
     }
 }
-exports.DiscoveryService = DiscoveryService;

package/dist/environment.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/environment.test.js

@@ -0,0 +1,97 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { GateRunner } from './gates/runner.js';
+import { ConfigSchema } from './types/index.js';
+import fs from 'fs-extra';
+import path from 'path';
+describe('Environment Alignment Gate', () => {
+    const testDir = path.join(process.cwd(), 'temp-test-env');
+    beforeEach(async () => {
+        await fs.ensureDir(testDir);
+    });
+    afterEach(async () => {
+        await fs.remove(testDir);
+    });
+    it('should detect tool version mismatch (Explicit)', async () => {
+        const rawConfig = {
+            version: 1,
+            gates: {
+                environment: {
+                    enabled: true,
+                    enforce_contracts: false,
+                    tools: {
+                        node: ">=99.0.0" // Guaranteed to fail
+                    }
+                }
+            }
+        };
+        const config = ConfigSchema.parse(rawConfig);
+        const runner = new GateRunner(config);
+        const report = await runner.run(testDir);
+        expect(report.status).toBe('FAIL');
+        const envFailure = report.failures.find(f => f.id === 'environment-alignment');
+        expect(envFailure).toBeDefined();
+        expect(envFailure?.details).toContain('node');
+        expect(envFailure?.details).toContain('version mismatch');
+    });
+    it('should detect missing environment variables', async () => {
+        const rawConfig = {
+            version: 1,
+            gates: {
+                environment: {
+                    enabled: true,
+                    required_env: ["RIGOUR_TEST_VAR_MISSING"]
+                }
+            }
+        };
+        const config = ConfigSchema.parse(rawConfig);
+        const runner = new GateRunner(config);
+        const report = await runner.run(testDir);
+        expect(report.status).toBe('FAIL');
+        expect(report.failures[0].details).toContain('RIGOUR_TEST_VAR_MISSING');
+    });
+    it('should discover contracts from pyproject.toml', async () => {
+        // Create mock pyproject.toml with a version that will surely fail
+        await fs.writeFile(path.join(testDir, 'pyproject.toml'), `
+[tool.ruff]
+ruff = ">=99.14.0"
+`);
+        const rawConfig = {
+            version: 1,
+            gates: {
+                environment: {
+                    enabled: true,
+                    enforce_contracts: true,
+                    tools: {} // Should discover ruff from file
+                }
+            }
+        };
+        const config = ConfigSchema.parse(rawConfig);
+        const runner = new GateRunner(config);
+        const report = await runner.run(testDir);
+        // This might pass or fail depending on the local ruff version, 
+        // but we want to check if the gate attempted to check ruff.
+        // If ruff is missing, it will fail with "is missing".
+        const ruffFailure = report.failures.find(f => f.details.includes('ruff'));
+        expect(ruffFailure).toBeDefined();
+    });
+    it('should prioritize environment gate and run it first', async () => {
+        const rawConfig = {
+            version: 1,
+            gates: {
+                max_file_lines: 1,
+                environment: {
+                    enabled: true,
+                    required_env: ["MANDATORY_SECRET_MISSING"]
+                }
+            }
+        };
+        const config = ConfigSchema.parse(rawConfig);
+        // Create a file that would fail max_file_lines
+        await fs.writeFile(path.join(testDir, 'large.js'), 'line1\nline2\nline3');
+        const runner = new GateRunner(config);
+        const report = await runner.run(testDir);
+        // In a real priority system, we might want to stop after environment failure.
+        // Currently GateRunner runs all, but environment-alignment has been unshifted.
+        expect(Object.keys(report.summary)[0]).toBe('environment-alignment');
+    });
+});

package/dist/gates/ast-handlers/base.d.ts

@@ -0,0 +1,12 @@
+import { Failure, Gates } from '../../types/index.js';
+export interface ASTHandlerContext {
+    cwd: string;
+    file: string;
+    content: string;
+}
+export declare abstract class ASTHandler {
+    protected config: Gates;
+    constructor(config: Gates);
+    abstract supports(file: string): boolean;
+    abstract run(context: ASTHandlerContext): Promise<Failure[]>;
+}

package/dist/gates/ast-handlers/base.js

@@ -0,0 +1,6 @@
+export class ASTHandler {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+}

package/dist/gates/ast-handlers/python.d.ts

@@ -0,0 +1,6 @@
+import { ASTHandler, ASTHandlerContext } from './base.js';
+import { Failure } from '../../types/index.js';
+export declare class PythonHandler extends ASTHandler {
+    supports(file: string): boolean;
+    run(context: ASTHandlerContext): Promise<Failure[]>;
+}

package/dist/gates/ast-handlers/python.js

@@ -0,0 +1,64 @@
+import { execa } from 'execa';
+import { ASTHandler } from './base.js';
+import path from 'path';
+import { fileURLToPath } from 'url';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+export class PythonHandler extends ASTHandler {
+    supports(file) {
+        return /\.py$/.test(file);
+    }
+    async run(context) {
+        const failures = [];
+        const scriptPath = path.join(__dirname, 'python_parser.py');
+        try {
+            const { stdout } = await execa('python3', [scriptPath], {
+                input: context.content,
+                cwd: context.cwd
+            });
+            const metrics = JSON.parse(stdout);
+            if (metrics.error)
+                return [];
+            const astConfig = this.config.ast || {};
+            const maxComplexity = astConfig.complexity || 10;
+            const maxParams = astConfig.max_params || 5;
+            const maxMethods = astConfig.max_methods || 10;
+            for (const item of metrics) {
+                if (item.type === 'function') {
+                    if (item.parameters > maxParams) {
+                        failures.push({
+                            id: 'AST_MAX_PARAMS',
+                            title: `Function '${item.name}' has ${item.parameters} parameters (max: ${maxParams})`,
+                            details: `High parameter count detected in ${context.file} at line ${item.lineno}`,
+                            files: [context.file],
+                            hint: `Reduce number of parameters or use an options object.`
+                        });
+                    }
+                    if (item.complexity > maxComplexity) {
+                        failures.push({
+                            id: 'AST_COMPLEXITY',
+                            title: `Function '${item.name}' has complexity of ${item.complexity} (max: ${maxComplexity})`,
+                            details: `High complexity detected in ${context.file} at line ${item.lineno}`,
+                            files: [context.file],
+                            hint: `Refactor '${item.name}' into smaller, more focused functions.`
+                        });
+                    }
+                }
+                else if (item.type === 'class') {
+                    if (item.methods > maxMethods) {
+                        failures.push({
+                            id: 'AST_MAX_METHODS',
+                            title: `Class '${item.name}' has ${item.methods} methods (max: ${maxMethods})`,
+                            details: `God Object pattern detected in ${context.file} at line ${item.lineno}`,
+                            files: [context.file],
+                            hint: `Split class '${item.name}' into smaller services.`
+                        });
+                    }
+                }
+            }
+        }
+        catch (e) {
+            // If python3 is missing, we skip AST but other gates still run
+        }
+        return failures;
+    }
+}

package/dist/gates/ast-handlers/typescript.d.ts

@@ -0,0 +1,9 @@
+import { ASTHandler, ASTHandlerContext } from './base.js';
+import { Failure } from '../../types/index.js';
+export declare class TypeScriptHandler extends ASTHandler {
+    supports(file: string): boolean;
+    run(context: ASTHandlerContext): Promise<Failure[]>;
+    private analyzeSourceFile;
+    private checkBoundary;
+    private getNodeName;
+}

package/dist/gates/ast-handlers/typescript.js

@@ -0,0 +1,110 @@
+import ts from 'typescript';
+import { ASTHandler } from './base.js';
+import micromatch from 'micromatch';
+import path from 'path';
+export class TypeScriptHandler extends ASTHandler {
+    supports(file) {
+        return /\.(ts|js|tsx|jsx)$/.test(file);
+    }
+    async run(context) {
+        const failures = [];
+        const sourceFile = ts.createSourceFile(context.file, context.content, ts.ScriptTarget.Latest, true);
+        this.analyzeSourceFile(sourceFile, context.file, failures);
+        return failures;
+    }
+    analyzeSourceFile(sourceFile, relativePath, failures) {
+        const astConfig = this.config.ast || {};
+        const maxComplexity = astConfig.complexity || 10;
+        const maxMethods = astConfig.max_methods || 10;
+        const maxParams = astConfig.max_params || 5;
+        const visit = (node) => {
+            if (ts.isFunctionDeclaration(node) || ts.isMethodDeclaration(node) || ts.isArrowFunction(node)) {
+                const name = this.getNodeName(node);
+                if (node.parameters.length > maxParams) {
+                    failures.push({
+                        id: 'AST_MAX_PARAMS',
+                        title: `Function '${name}' has ${node.parameters.length} parameters (max: ${maxParams})`,
+                        details: `High parameter count detected in ${relativePath}`,
+                        files: [relativePath],
+                        hint: `Reduce number of parameters or use an options object.`
+                    });
+                }
+                let complexity = 1;
+                const countComplexity = (n) => {
+                    if (ts.isIfStatement(n) || ts.isCaseClause(n) || ts.isDefaultClause(n) ||
+                        ts.isForStatement(n) || ts.isForInStatement(n) || ts.isForOfStatement(n) ||
+                        ts.isWhileStatement(n) || ts.isDoStatement(n) || ts.isConditionalExpression(n)) {
+                        complexity++;
+                    }
+                    if (ts.isBinaryExpression(n)) {
+                        if (n.operatorToken.kind === ts.SyntaxKind.AmpersandAmpersandToken ||
+                            n.operatorToken.kind === ts.SyntaxKind.BarBarToken) {
+                            complexity++;
+                        }
+                    }
+                    ts.forEachChild(n, countComplexity);
+                };
+                ts.forEachChild(node, countComplexity);
+                if (complexity > maxComplexity) {
+                    failures.push({
+                        id: 'AST_COMPLEXITY',
+                        title: `Function '${name}' has cyclomatic complexity of ${complexity} (max: ${maxComplexity})`,
+                        details: `High complexity detected in ${relativePath}`,
+                        files: [relativePath],
+                        hint: `Refactor '${name}' into smaller, more focused functions.`
+                    });
+                }
+            }
+            if (ts.isClassDeclaration(node)) {
+                const name = node.name?.text || 'Anonymous Class';
+                const methods = node.members.filter(ts.isMethodDeclaration);
+                if (methods.length > maxMethods) {
+                    failures.push({
+                        id: 'AST_MAX_METHODS',
+                        title: `Class '${name}' has ${methods.length} methods (max: ${maxMethods})`,
+                        details: `God Object pattern detected in ${relativePath}`,
+                        files: [relativePath],
+                        hint: `Class '${name}' is becoming too large. Split it into smaller services.`
+                    });
+                }
+            }
+            if (ts.isImportDeclaration(node)) {
+                const importPath = node.moduleSpecifier.text;
+                this.checkBoundary(importPath, relativePath, failures);
+            }
+            ts.forEachChild(node, visit);
+        };
+        ts.forEachChild(sourceFile, visit);
+    }
+    checkBoundary(importPath, relativePath, failures) {
+        const boundaries = this.config.architecture?.boundaries || [];
+        for (const rule of boundaries) {
+            if (micromatch.isMatch(relativePath, rule.from)) {
+                const resolved = importPath.startsWith('.')
+                    ? path.join(path.dirname(relativePath), importPath)
+                    : importPath;
+                if (rule.mode === 'deny' && micromatch.isMatch(resolved, rule.to)) {
+                    failures.push({
+                        id: 'ARCH_BOUNDARY',
+                        title: `Architectural Violation`,
+                        details: `'${relativePath}' is forbidden from importing '${importPath}' (denied by boundary rule).`,
+                        files: [relativePath],
+                        hint: `Remove this import to maintain architectural layering.`
+                    });
+                }
+            }
+        }
+    }
+    getNodeName(node) {
+        if (ts.isFunctionDeclaration(node) || ts.isMethodDeclaration(node)) {
+            return node.name?.getText() || 'anonymous';
+        }
+        if (ts.isArrowFunction(node)) {
+            const parent = node.parent;
+            if (ts.isVariableDeclaration(parent))
+                return parent.name.getText();
+            return 'anonymous arrow';
+        }
+        return 'unknown';
+    }
+}

package/dist/gates/ast-handlers/universal.d.ts

@@ -0,0 +1,8 @@
+import { ASTHandler, ASTHandlerContext } from './base.js';
+import { Failure } from '../../types/index.js';
+export declare class UniversalASTHandler extends ASTHandler {
+    private parser?;
+    private languages;
+    supports(file: string): boolean;
+    run(context: ASTHandlerContext): Promise<Failure[]>;
+}

package/dist/gates/ast-handlers/universal.js

@@ -0,0 +1,156 @@
+import * as _Parser from 'web-tree-sitter';
+const Parser = _Parser.default || _Parser;
+import { ASTHandler } from './base.js';
+import path from 'path';
+import { fileURLToPath } from 'url';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+export class UniversalASTHandler extends ASTHandler {
+    parser;
+    languages = {
+        '.go': {
+            grammarPath: '../../vendor/grammars/tree-sitter-go.wasm',
+            extensions: ['.go'],
+            queries: {
+                complexity: '(if_statement) (for_statement) (select_statement) (case_clause)',
+                nesting: '(if_statement (block . (if_statement))) (for_statement (block . (for_statement)))',
+                parameters: '(parameter_list (parameter_declaration) @param)',
+                methods: '(method_declaration) @method (function_declaration) @method',
+                securitySinks: '(call_expression function: (selector_expression field: (field_identifier) @id (#match? @id "^(Command|exec|System)$")))',
+                ecosystemBlunders: '(if_statement !condition: (binary_expression left: (identifier) @err (#eq? @err "err")))' // Missing err check
+            }
+        },
+        '.py': {
+            grammarPath: '../../vendor/grammars/tree-sitter-python.wasm',
+            extensions: ['.py'],
+            queries: {
+                complexity: '(if_statement) (for_statement) (while_statement) (with_statement)',
+                nesting: '(if_statement (block (if_statement)))',
+                parameters: '(parameters (identifier) @param)',
+                methods: '(function_definition) @method',
+                securitySinks: '(call_expression function: (identifier) @func (#match? @func "^(eval|exec|os\\.system)$"))',
+                ecosystemBlunders: '(parameters (default_parameter value: (list) @mutable))' // Mutable default
+            }
+        },
+        '.java': {
+            grammarPath: '../../vendor/grammars/tree-sitter-java.wasm',
+            extensions: ['.java'],
+            queries: {
+                complexity: '(if_statement) (for_statement) (while_statement) (switch_label)',
+                nesting: '(if_statement (block (if_statement))) (for_statement (block (for_statement)))',
+                parameters: '(formal_parameters (formal_parameter) @param)',
+                methods: '(method_declaration) @method',
+                securitySinks: '(method_declaration (modifiers (native))) @native (method_invocation name: (identifier) @name (#match? @name "^(exec|System\\.load)$"))',
+                ecosystemBlunders: '(catch_clause body: (block . ))' // Empty catch
+            }
+        },
+        '.rs': {
+            grammarPath: '../../vendor/grammars/tree-sitter-rust.wasm',
+            extensions: ['.rs'],
+            queries: {
+                complexity: '(if_expression) (for_expression) (while_expression) (loop_expression) (match_arm)',
+                nesting: '(if_expression (block (if_expression))) (for_expression (block (for_expression)))',
+                parameters: '(parameters (parameter) @param)',
+                methods: '(impl_item (function_item)) @method (function_item) @method',
+                securitySinks: '(unsafe_block) @unsafe',
+                ecosystemBlunders: '(call_expression function: (field_expression field: (field_identifier) @id (#eq? @id "unwrap")))' // .unwrap()
+            }
+        },
+        '.cs': {
+            grammarPath: '../../vendor/grammars/tree-sitter-c_sharp.wasm',
+            extensions: ['.cs'],
+            queries: {
+                complexity: '(if_statement) (for_statement) (foreach_statement) (while_statement) (switch_section)',
+                nesting: '(if_statement (block (if_statement))) (for_statement (block (for_statement)))',
+                parameters: '(parameter_list (parameter) @param)',
+                methods: '(method_declaration) @method',
+                securitySinks: '(attribute name: (identifier) @attr (#eq? @attr "DllImport")) @violation'
+            }
+        },
+        '.cpp': {
+            grammarPath: '../../vendor/grammars/tree-sitter-cpp.wasm',
+            extensions: ['.cpp', '.cc', '.cxx', '.h', '.hpp'],
+            queries: {
+                complexity: '(if_statement) (for_statement) (while_statement) (case_statement)',
+                nesting: '(if_statement (compound_statement (if_statement)))',
+                parameters: '(parameter_list (parameter_declaration) @param)',
+                methods: '(function_definition) @method',
+                securitySinks: '(call_expression function: (identifier) @name (#match? @name "^(malloc|free|system|popen)$"))'
+            }
+        }
+    };
+    supports(file) {
+        const ext = path.extname(file).toLowerCase();
+        return ext in this.languages;
+    }
+    async run(context) {
+        const failures = [];
+        const ext = path.extname(context.file).toLowerCase();
+        const config = this.languages[ext];
+        if (!config)
+            return [];
+        if (!this.parser) {
+            await Parser.init();
+            this.parser = new Parser();
+        }
+        try {
+            const Lang = await Parser.Language.load(path.resolve(__dirname, config.grammarPath));
+            this.parser.setLanguage(Lang);
+            const tree = this.parser.parse(context.content);
+            const astConfig = this.config.ast || {};
+            // 1. Structural Methods Audit
+            const methodQuery = Lang.query(config.queries.methods);
+            const methodMatches = methodQuery.matches(tree.rootNode);
+            for (const match of methodMatches) {
+                for (const capture of match.captures) {
+                    const node = capture.node;
+                    const name = node.childForFieldName('name')?.text || 'anonymous';
+                    // SME: Cognitive Complexity (Nesting depth + Cyclomatic)
+                    const nesting = Lang.query(config.queries.nesting).captures(node).length;
+                    const cyclomatic = Lang.query(config.queries.complexity).captures(node).length + 1;
+                    const cognitive = cyclomatic + (nesting * 2);
+                    if (cognitive > (astConfig.complexity || 10)) {
+                        failures.push({
+                            id: 'SME_COGNITIVE_LOAD',
+                            title: `Method '${name}' has high cognitive load (${cognitive})`,
+                            details: `Deeply nested or complex logic detected in ${context.file}.`,
+                            files: [context.file],
+                            hint: `Flatten logical branches and extract nested loops.`
+                        });
+                    }
+                }
+            }
+            // 2. Security Sinks
+            if (config.queries.securitySinks) {
+                const securityQuery = Lang.query(config.queries.securitySinks);
+                const sinks = securityQuery.captures(tree.rootNode);
+                for (const capture of sinks) {
+                    failures.push({
+                        id: 'SME_SECURITY_SINK',
+                        title: `Unsafe function call detected: ${capture.node.text}`,
+                        details: `Potentially dangerous execution in ${context.file}.`,
+                        files: [context.file],
+                        hint: `Avoid using shell execution or eval. Use safe alternatives.`
+                    });
+                }
+            }
+            // 3. Ecosystem Blunders
+            if (config.queries.ecosystemBlunders) {
+                const blunderQuery = Lang.query(config.queries.ecosystemBlunders);
+                const blunders = blunderQuery.captures(tree.rootNode);
+                for (const capture of blunders) {
+                    failures.push({
+                        id: 'SME_BEST_PRACTICE',
+                        title: `Ecosystem anti-pattern detected`,
+                        details: `Violation of ${ext} best practices in ${context.file}.`,
+                        files: [context.file],
+                        hint: `Review language-specific best practices (e.g., error handling or mutable defaults).`
+                    });
+                }
+            }
+        }
+        catch (e) {
+            // Parser skip
+        }
+        return failures;
+    }
+}

package/dist/gates/ast.d.ts

@@ -2,9 +2,7 @@ import { Gate, GateContext } from './base.js';
 import { Failure, Gates } from '../types/index.js';
 export declare class ASTGate extends Gate {
     private config;
+    private handlers;
     constructor(config: Gates);
     run(context: GateContext): Promise<Failure[]>;
-    private analyzeSourceFile;
-    private checkBoundary;
-    private getNodeName;
 }